Application Security Engineer

  • Not Specified
  • Tel-Aviv, Tel Aviv Region, Israel
  • Permanent contract, full-time
  • BlackRock
  • 17 Oct 2017

Team Overview:

The Application Security team acts as a trusted assessor and risk advisor for the application development teams. The team comprises junior and senior security engineers with expertise in application security and penetration testing. The team is the go-to team if one needs to get an attacker's perspective on any technology. Your colleagues will be individuals who are passionate about technology and stay current with the knowledge of new attacks, vulnerabilities and security technologies. The Application Security team is a part of the Global Information Security (GIS) Team within the Technology and Operations umbrella. The team interacts with the numerous Software Development teams on issues relating to application security.
 
Key Responsibilities:

The key responsibilities of the role are as follows:

  • Individual contributor responsible for reviewing the security of the source code and security of the libraries used

  • Engage with development teams and/or senior management across various teams to influence efficient and effective fixes for application vulnerabilities

  • Review and own the issues from Static Analysis and Interactive application security testing tools

  • Create a software source code review process that is a part of the development cycles (SDLC, Agile, CI/CD)

  • Educate the developers on the vulnerabilities that are found and translate the vulnerabilities into business risks

  • Validate if the issues are fixed and work with the developers to suggest good ways to fix issues

  • Familiarity with tools such as Bugzilla, JIRA, issue trackers, GitHub, SVN, IDEs such as Eclipse/IntelliJ and build tools such as Ant, etc.

  • Contribute to the Software Security Standards with commonly found vulnerabilities

  • Present a quarterly state of source code security to the CISO and a bi-annual educational session of commonly seen vulnerabilities for the development teams

  • Create proof-of-concept to validate the fixes or educate the developers on how certain vulnerabilities can be exploited

  • Create static code analysis tools where automated tools cannot

  • Be able to understand and assess application risks and mitigation methods or compensating controls

Knowledge/Experience:

Candidates will be evaluated based on their ability to perform the duties listed above while demonstrating the skills and competencies necessary to be highly effective in the role. These skills and competencies include:

  • Strong manual code review skills in Java, C/C++, Python, Perl

  • Network and application Penetration Testing experience

  • Understand the essentials of cryptography, operating systems, network security and application security, including an understanding of gcc, Java, Perl and Python

  • Proficiency in English for written and verbal communication

  • Familiarity with tools such as Veracode, Fortify, Contrast, CheckMarx, Coverity, FindBugs, etc.

  • Understanding of the security of web applications, thick-client applications, RESTful web services, virtualization, Docker, Kubernetes, etc.

  • Ability to multitask and be able to juggle different tasks with ease

Candidates will be evaluated primarily upon their ability to demonstrate the competencies required to be successful in the role, as described above. For reference, the typical work experience and educational background of candidates in this role are as follows:

  • BS/MS in Business, Computer Science, Information Security, or a related field

  • 8+ years of work experience as source code reviewer or code analyzer

  • 8+ years of security, in an Application Risk Analysis role

  • Relevant certifications are a plus (e.g., OSCP, OSCE, OSEE)